让进程在系统中更加隐蔽(2) 一般来说一个后门程序需要更改系统的某些文件来让程序在系统启动执行这个程序， 又要在某个地方保留这个程序（一般是在硬盘）。如果有什么办法不这样做又让程序在 系统中运行的话，就可以使后门程序更加隐蔽。也就是说程序在硬盘上找不到在系统的 启动配置中没有这有项。真正要做到这样好象不太现实，但可以采用简单的方法：在程 序被执行后删除程序文件和启动文件中被更改的部分，然后在系统被关闭前保留程序文 件和更改启动文件，让它在系统启动时又能被执行。 程序是一个可执行文件在被执行时系统会把它保护起来，如果要删除它需要更改系 统！很麻烦！可以把代码放到其他程序中作为另外进程的线程来运行既利用创建远程线程 函数。系统被关闭一般有三种情况：正常关机，掉电(不正常关机),一键关机(按下power). 对于正常关机，程序会收到CTRL_SHUTDOWN_EVENT的信号，一键关机，可以简单的使用钩子 但掉电(不正常关机)老农实在想不出办法。好在一般的nt服务器很少这种情况。 在nt系统下用CreateService来注册一个服务，当然是在系统SHUTDOWN前。在启动时 用DeleteService删除这个服务,保存一个程序文件在虚拟内存中,删除在硬盘上程序-process in the system to allow a more subtle (2) In general a backdoor procedures need to change the system to certain documents procedures for the system to initiate the implementation of this procedure, but also to retain a place in the process (usually in a hard disk). If there is any way to do so without letting procedures in the system running, then we can process more subtle back door. In other words procedures not found in the hard disks on the system's configuration did not start with this item. Really want to do so it did not seem realistic, but it is a simple approach : in the process would be implemented to delete files and startup files were altered, Then the system was closed down before the document retention procedures and changes in startup files, it started when the sy